Instructure Pays Hackers for Stolen Data, Defying FBI Advice

Key Takeaways

• Instructure reached a deal with ShinyHunters after hackers stole data on 280 million Canvas users
• The FBI advises against paying ransoms but Instructure proceeded anyway
• ShinyHunters provided 'shred logs' as proof of data destruction

Education technology company Instructure has paid hackers to retrieve stolen customer data, directly contradicting FBI guidance on ransomware payments. The company announced it "reached an agreement" with hacker group ShinyHunters, which had breached its Canvas learning management system earlier this month.

The breach exposed names, email addresses, and private messages belonging to approximately 280 million Canvas users. ShinyHunters had threatened to leak the data if Instructure didn't respond by May 12.

What Instructure Got in Return

According to TechCrunch, Instructure received the stolen data back along with what the company calls "digital confirmation of data destruction (shred logs)" from ShinyHunters. The hackers also promised that "no Instructure customers will be extorted as a result of this incident, publicly or otherwise."

Instructure has not disclosed the financial terms of the agreement. A previous version of the company's security update, reported by the BBC, stated: "While there is never complete certainty when dealing with cyber criminals, we believe it was important to take every step within our control to give customers additional peace of mind, to the extent possible."

FBI Says Don't Pay

The FBI's position on ransomware payments is unambiguous. The bureau "does not support paying a ransom in response to a ransomware attack," according to its official guidance. Last week, the FBI's Cyber Division posted directly about the Canvas breach on X.

"If you are contacted directly by anyone claiming to have your data, we recommend you not send payment or respond to their demands," the FBI wrote.

The logic behind this advice is straightforward. Paying ransoms funds criminal operations and provides no guarantee hackers will honor their promises. A criminal who breaks into systems for profit has little incentive to keep their word once paid.

ShinyHunters' Recent Targets

The Canvas breach wasn't ShinyHunters' only recent attack. The group claims to have breached Nvidia's GeForce Now service, saying it "pulled their entire database straight from the backend."

Last month, ShinyHunters also targeted Rockstar Games, demanding ransom related to GTA 6. That threat fizzled when it became clear the hackers didn't have much valuable data to leak.

What Happens Next

Instructure's latest security update doesn't explain why leadership chose to negotiate with criminals despite FBI guidance. The company says it will provide more details in an upcoming webinar covering "information about the cyber attack and our activities to harden the system."

This was actually ShinyHunters' second breach of Instructure's systems. That repeat attack raises questions about the company's security practices that a webinar may struggle to answer.

Frequently Asked Questions

How many users were affected by the Canvas data breach?

Approximately 280 million Canvas users had their names, email addresses, and private messages potentially exposed in the ShinyHunters breach.

Did Instructure pay a ransom to ShinyHunters?

Instructure confirmed it "reached an agreement" with ShinyHunters but has not disclosed the financial terms. The company received the stolen data back along with proof of data destruction.

What does the FBI say about paying ransomware demands?

The FBI explicitly advises against paying ransoms, stating it "does not support paying a ransom in response to a ransomware attack" and recommends not responding to hacker demands.

Who is ShinyHunters?

ShinyHunters is a hacker group that has recently targeted Instructure's Canvas platform, Nvidia's GeForce Now, and Rockstar Games. The group exfiltrates data and demands ransoms from victims.

Source: PCGamer latest